Banking Trojan Coyote Steals Data by Simulating Interface Operations


Date: 25/07/2025

The new variant of the banking Trojan Coyote exploits accessibility features in Windows, specifically the Microsoft UI Automation framework. In this way, the malware detects banking and cryptocurrency exchange websites visited by the user and steals their credentials.

Microsoft UIA is a framework designed to allow assistive technologies to interact with elements of Windows application interfaces: read their properties, control them, and monitor changes. Applications present their structure as a UI Automation tree, and the UIA API allows browsing this tree, obtaining data about interface elements, and interacting with them by emulating user actions. All of this is intended to enable people with disabilities to fully utilize all the capabilities of their devices.

As early as December 2024, specialists from Akamai warned that UIA could be used for credential theft, emphasizing that this technique would allow bypassing EDR protection in any version of Windows starting from XP.

Akamai now reports that its prediction has come true: since February 2025, its researchers have observed real attacks using this technique, and this is the first known case of malware abusing Microsoft UIA for data theft.

The banking trojan Coyote has been active since February 2024. This malware aims to steal credentials from 75 banking and cryptocurrency applications, primarily targeting users in Brazil. When the malware was first discovered, it used keylogging and phishing overlays, but since then, Coyote has undergone significant changes.

According to the researchers, the new version of Coyote still steals data by its traditional methods, but it has also gained code that abuses UIA, invoked when the user opens a banking or cryptocurrency service in a browser.

If Coyote cannot identify the target from the window title, it uses UIA to extract the web address from the browser's UI elements (the tabs or the address bar). It then compares the result against a hardcoded list of 75 targeted services.
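The reconnaissance step above gives a defender a concrete signal: a process that has no business acting as an assistive technology suddenly loads the UI Automation client library. The following detection sketch is an added example, not code from the article or from Akamai; it parses constructed Sysmon-style ImageLoad (Event ID 7) records and flags loads of UIAutomationCore.dll by processes that are unsigned, run from user-writable directories, or are absent from an assumed allowlist of expected UIA clients. The field names follow Sysmon's ImageLoad event, but the records, the allowlist and the path markers are assumptions to be tuned per environment.

```python
"""Detection sketch for unexpected UI Automation clients (added example, not the page's code).

Input: JSON-encoded records modelled on Sysmon Event ID 7 (ImageLoad).
Output: findings for processes that load UIAutomationCore.dll and look out of place.
"""
import json
import ntpath

UIA_DLL = "uiautomationcore.dll"

# Assumed allowlist: processes that legitimately load the UIA client library on a
# typical workstation (built-in assistive tools, browsers, the shell). Tune per estate.
EXPECTED_UIA_CLIENTS = {
    "narrator.exe", "magnify.exe", "osk.exe",
    "chrome.exe", "msedge.exe", "firefox.exe",
    "explorer.exe", "svchost.exe",
}

# Assumed markers for user-writable locations where a banking trojan dropper would land.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed sample telemetry (not real events): two legitimate UIA clients,
# one unsigned binary in Temp loading UIAutomationCore.dll, one unrelated DLL load.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 7, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll",
                "Signed": "true", "Signature": "Google LLC"}),
    json.dumps({"EventID": 7, "Image": "C:\\Windows\\System32\\narrator.exe",
                "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll",
                "Signed": "true", "Signature": "Microsoft Windows"}),
    json.dumps({"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
                "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll",
                "Signed": "false", "Signature": ""}),
    json.dumps({"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
                "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
                "Signed": "false", "Signature": ""}),
    json.dumps({"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
                "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll",
                "Signed": "true", "Signature": "Microsoft Windows"}),
]


def parse_event(line):
    """Decode one JSON record into a dict."""
    return json.loads(line)


def assess(event):
    """Return a finding dict for a suspicious UIA client load, or None if benign/irrelevant."""
    if int(event.get("EventID", 0)) != 7:
        return None
    # ntpath handles Windows separators regardless of the host OS running the detector.
    if ntpath.basename(event.get("ImageLoaded", "")).lower() != UIA_DLL:
        return None

    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    reasons = []
    if name not in EXPECTED_UIA_CLIENTS:
        reasons.append("process not an expected UIA client")
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("unsigned image")
    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("image in user-writable directory")

    if not reasons:
        return None
    return {"image": image, "reasons": reasons}


def analyze(lines):
    """Run the assessment over a sequence of raw log lines and collect findings."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"{finding['image']}: {', '.join(finding['reasons'])}")
```

On the constructed sample only the Temp-resident `update.exe` is reported, with all three reasons. Browsers and assistive tools load the same DLL constantly, so the allowlist and the signing check carry the rule; without them a rule on the DLL name alone would be far too noisy.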

Among the banks and exchanges that Coyote targets using this method are: Banco do Brasil, CaixaBank, Banco Bradesco, Santander, Original bank, Sicredi, Banco do Nordeste, Expanse, as well as Binance, Electrum, Bitcoin, Foxbit, and others.

Although in this case the misuse of UIA is limited to the reconnaissance phase, Akamai's specialists have demonstrated that UIA can also be used to carry out the actual theft of credentials from the targeted sites.

“Parsing nested elements of another application without UIA is a non-trivial task,” researchers say. “To effectively read the contents of nested elements of another application, a developer must have a good understanding of how the specific target application is structured. Coyote can perform checks regardless of whether the malware is online or offline. This increases the chances of successfully identifying a bank or cryptocurrency exchange to steal credentials.”

The experts note that on Android the equivalent problem, abuse of Accessibility Services by malware, is acute and has long been widespread.
